Title
#general
a

A

05/04/2022, 12:51 PM
Hi, I was trying to find information regarding data collection. Do you perhaps have any information about that? And maybe osquerys take on GDPR?
a

alessandrogario

05/04/2022, 1:04 PM
Is this maybe more like a fleet management solution question (about maybe audit logs, and things automatically acquired on user machines)? osquery itself is just a data collection tool and what you acquire depends on what kind of queries are being run and where (a server, a personal machine, or a company laptop)
1:05 PM
You may also have extensions installed that include additional capabilities not covered by the core tables
a

A

05/04/2022, 1:15 PM
I was thinking of, if I download the app on a mac does my data that is collected end up in the cloud or such? πŸ™‚
a

alessandrogario

05/04/2022, 1:16 PM
It is up to you or the person that configures osquery
1:16 PM
It does not send anything anywhere on its own
1:17 PM
osqueryi
(or
osqueryd -S
) works as a shell and does 0 logging
1:17 PM
osqueryd
(in daemon mode) only logs to file system
a

A

05/04/2022, 1:17 PM
Perfect! Thank you for the info! fyi. @Daniel_
a

alessandrogario

05/04/2022, 1:17 PM
but sensitive data (if any) is likely in the results log, and that depends on what queries are running
1:18 PM
queries are run from query packs, from adhoc queries (through a fleet management solution, such as Kolide or fleetdm)
a

A

05/04/2022, 1:18 PM
We are looking for an alternative for sysmon but for Mac!
a

alessandrogario

05/04/2022, 1:19 PM
from distributed queries (also from fleet management solution), and from the extension socket (other osquery shells connecting to it, or osquery extensions providing additional functionality)
1:19 PM
it all requires configuration, and the admin deploying osquery should probably know what is happening in the deployment
a

A

05/04/2022, 1:20 PM
Awesome!
a

alessandrogario

05/04/2022, 1:20 PM
I don't think osquery can replace sysmon, but the endpoint security based tables could provide some of the same features
a

A

05/04/2022, 1:21 PM
i mean sysmon does not work for mac only windows.. we just want to see the same data in splunk for mac clients
a

alessandrogario

05/04/2022, 1:22 PM
You can see what can be gathered from endpoint security here: https://osquery.io/schema/5.2.2/#es_process_events
1:23 PM
I know that file integrity monitoring (also based on endpoint security) is being worked on (@sharvil is the main dev on these two)
1:24 PM
There are other, older tables, based on openbsm; I am not sure whether they are still working right now but i think the API is being deprecated
1:24 PM
If we are talking about process events, you could capture things in the parameters that could be considered private information
1:25 PM
For FIM, you would be looking at files opened, which would also I think fall in the same category
1:25 PM
I am not an expert on GDPR, I think you need consent from the users and possibly you can only store that data within Europe
1:26 PM
I think you need to talk to a lawyer to be sure, and not trust documentation as a precaution
a

A

05/04/2022, 1:26 PM
Since the company own the employees computer, we're allowed to collect data. Such as what is being searched on and what people do on their computer.
a

alessandrogario

05/04/2022, 1:29 PM
I think it depends potentially on what the computer is doing; if it's handling GDPR-protected data (like customer data for example) it's still in scope for GDPR laws
a

A

05/04/2022, 1:29 PM
yes indeed
a

alessandrogario

05/04/2022, 1:29 PM
Meaning: a company laptop may end up leaking GDPR-protected data while the employee performs their duty (like: opening personal records, etc)
1:30 PM
So i still suggest to talk to a lawyer
a

A

05/04/2022, 1:30 PM
yes πŸ™‚
s

seph

05/04/2022, 1:34 PM
As Alessandro said, osquery itself does nothing. It is a tool for structured data collection. The osquery foundation does not maintain any central osquery logging. We are not a vendor that provides that service. (Though many of us do work for vendors that do) How osquery is configured is very site specific. Both in terms of what data is collected, how it’s handled, and how thoughtful people are about the privacy implications.
1:35 PM
Speaking as a Kolide employee (eg: a vendor), we aim to be very transparent and user focused in our data collection. I would refer you to https://honest.security for our discussion about these issues.
j

Jason

05/04/2022, 1:37 PM
As @seph said, since osquery is just a tool (and not a service) - the GDPR implications are entirely dependent on the implementation of of the service, or on the IT/engineering team implementing osquery. Standalone - as a downloadable binary, it has zero GDPR implications.
a

A

05/04/2022, 1:51 PM
πŸ‘